-
-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deny remote user login with default credentials #18735
Deny remote user login with default credentials #18735
Conversation
089c2a6
to
dbd9eb2
Compare
I support this change. However (and this may be unavoidable), this change blocks local connections for me when qBittorrent is running in a Docker container. I can work around by exposing the host network to the Docker container....and that (ofc) comes with its own implications. FYI if nothing else since I exclusively use qBittorrent in Docker for personal and development purposes; I imagine this also may impact existing qBittorrent images and installation guides. |
It's not a problem to change the username this way, but it's not that easy for a password. |
Can users pass cmd arguments when starting the docker container? (I am a docker noob). |
3cb12c9
to
710f8f1
Compare
fe19e85
to
9dd5456
Compare
src/webui/api/authcontroller.cpp
Outdated
LogMsg(tr("WebAPI login failure. Reason: Remote connection with the default credentials is prohibited.") | ||
, Log::WARNING); | ||
throw APIError(APIErrorType::AccessDenied | ||
, tr("Remote connection with the default credentials is prohibited. Change the default credentials by connecting from the local network, or by using the %1 and/or %2 command line parameters.", | ||
"Remote connection with the default credentials is prohibited. Change the default credentials by connecting from the local network, or by using the '--change-webui-username' and/or '--change-webui-password' command line parameters.") | ||
.arg(u"'--change-webui-username'"_qs, u"'--change-webui-password'"_qs)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LogMsg(tr("WebAPI login failure. Reason: Remote connection with the default credentials is prohibited.") | |
, Log::WARNING); | |
throw APIError(APIErrorType::AccessDenied | |
, tr("Remote connection with the default credentials is prohibited. Change the default credentials by connecting from the local network, or by using the %1 and/or %2 command line parameters.", | |
"Remote connection with the default credentials is prohibited. Change the default credentials by connecting from the local network, or by using the '--change-webui-username' and/or '--change-webui-password' command line parameters.") | |
.arg(u"'--change-webui-username'"_qs, u"'--change-webui-password'"_qs)); | |
LogMsg(tr("WebAPI login failure. Reason: Remote connection with the default credentials is prohibited.") | |
, Log::WARNING); | |
throw APIError(APIErrorType::AccessDenied | |
, tr("Remote connection with the default credentials is prohibited. Change the default credentials by connecting from the local network, or by using the %1 and/or %2 command line parameters." | |
, "Remote connection with the default credentials is prohibited. Change the default credentials by connecting from the local network, or by using the '--change-webui-username' and/or '--change-webui-password' command line parameters.") | |
.arg(u"'--webui-username'"_qs, u"'--webui-password'"_qs)); |
My rationale for the above and for the naming schemeIt depends on the semantics you want to give. These cmd switches make persistent edits to the config file. They aren't meant to be seen as temporary overrides of the config. |
This is a good idea in itself, IMO (something similar has occurred to me). But it contradicts the current semantics, so I object to it. |
ΟΚ. I'll push the requested changes later. |
Other than the 'semantics', passing sensitive information via commandline parameters (especially to a long-time running program) is a very bad idea. For example, in a multi-user machine, someone (one with enough privileges and not necessarily the root) could easily see all your commandline parameters in clear text. And also the sensitive information is in clear text in memory (in argv list) for a long time which is also a bad practice. IMO using |
In that threat model, such privileged users already own you because they can easily either edit your config file or monitor your traffic. Am I wrong? However, your comment reminded me of another possible leak: bash history files. They record each command you give via the terminal. This would require a totally different approach for configuring the password. eg Having qbt to wait for user input in the terminal. Personally I cannot code this in a reasonable timeframe. |
After doing a bit of research, it seems you don't need any privileges to achieve this. So it is valid threat concern. |
So I think you shouldn't provide it in this PR. |
What do you mean? Should I drop the cmd arguments commit? |
Yes. Doesn't it look like you're covering up one vulnerability with another? Of course, CLI is intended not only to be used from a shell like bash, which will save passed parameters in its history file, and an informed user will not use it in this way. But an informed user will also not open access from the outside without changing the default password... |
Maybe instead add command line parameter to set "trusted host" from which alongside with localhost) a login using default credentials is accepted? |
Apparently there are users exposing the webui client to the internet without changing the default credentials. And apparently there are attackers out there scanning for exposed clients and then logging in with the default credentials and running code (crypto miners). Closes qbittorrent#13833 Closes qbittorrent#16529 Closes qbittorrent#18731
I had an alternative idea: |
This is not an alternative idea. It basically coincides with my intention.
👍
👍
👍 |
Does this have any security implications that we should consider? |
We won't be able to do anything if someone else (or malware) has access to the user's computer to read generated credentials. This is beyond our responsibility. |
The password is limited to the specific user and is local to the machine so I think it is pretty safe. |
Generally I agree but see below.
This will downgrade the current security offered to the user. Now we don't store the password itself but a salted hash of it. |
It is supposed to be printed once generated, i.e. once qBittorrent is started w/o stored password. Then it is stored as usual and never be accessed as plain text. If the user did not remember it at the first launch, then he will have to reset it in the usual way, as it was previously available, i.e. clearing the saved password hash. |
Perhaps the password can be generated every time if the user haven't updated it. |
It is probably easy to miss it in the first launch. And hard to debug afterwards (lots of "hey what's the default password" questions).
Sounds good. However, qBt will need to track this. I am not rejecting the above but where do we stand on the following? Provide a cmd arg for the nox version for configurin credentials (eg |
It's not a problem, IMO. Just don't store generated password so it is always empty at start unless user set custom one and it is stored. |
There should be a field (maybe
But won't you need more code to handle it at webui authentication? I suppose update the webui hash would be easier.
I don't consider it necessary but I don't object it either. IMO it can be done later (not a high priority) if anyone is interested. |
I believe it is better to avoid adding such an additional/temporary entry to the config file, if we can do with a variable. |
The main thing now is to decide about the basic concept, and the implementation details are just details. |
Let me summarize. I think there is consensus for the following:
That being said, I think @glassez's proposition of tracking the "empty" state via a variable is doable. |
@sledgehammer999 please take #18735 (comment) in to account too. Currently, the default password of |
I suppose there may be problems with this in some cases. Also we need to reject "adminadmin" from being set as password. |
Why not detect if the password hash is still equal to
I don't think we need to always reject it since the new default password is randomly generated. We only need to reject it when the user hasn't change it when upgrading from an older qbt version. |
I'm not worried about how to detect this (it's not a problem), but about how to "require a new password" in a non-confusing way. In GUI, we could just show a dialog stating that the existing credentials are no longer valid. But what about no-GUI case? To a greater extent, I worry about systems running in non-interactive mode. |
What does a randomly generated password have to do with it? |
Of course we will have to post a warning on the site that THE DEFAULT CREDENTIALS ARE NO LONGER VALID. Given the severity of the solved problem, the possible transitional difficulties of users can be considered as negligible. |
I presume users would have to check the logs. In fact they do it often when qbt service is not up. AFAIK some service manager will redirect stderr/stdout to their own log.
I don't insist but I don't favor disallowing "adminadmin" as a password if some dumb user really wants it to be (or they could have their reasons). I don't like being a nanny for users. |
Reasonable enough, IMO. |
I am in favor of disabling "adminadmin" for existing users. This is a security fix and a breakage of sorts is warranted. Also it is most likely a mistake for the user to have webui enabled and default credentials. On the WebUI front we can leverage the response to |
In fact, I'll put a similar warning to the news page now that I'll make the 4.6.0 release. "DONT USE DEFAULT CREDENTIALS FOR THE WEBUI. THEY WILL BE DISABLED IN A FOLLOWING RELEASE". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems appropriate
I think this idea has been altered, but wanted to say, I think the issue with this is users may not know what enabling web gui does, so they may enable and never go change it. allowing change credentials via the API, or web interface, when the default password is still set would let an attacker change the password using the default. =/ |
Superseded by #19777. |
Apparently there are users exposing the webui client to the internet without changing the default credentials. And apparently there are attackers out there scanning for exposed clients and then logging in with the default credentials and running code (crypto miners).
With this PR users will be able to connect with default credentials only from localhost.
If connecting remotely, they login page will show them the reason the login failed and ask them to login locally to change the credentials (or manually set them in the configuration file).
Closes #13833
Closes #16529
Closes #18731